OS X Forensics Blog
Mac & iPhone Forensics Blog

FTS iXAM

I am happy to announce that FTS has graciously given me a trial of iXAM. The results of this study will be published in the upcoming book "iPhone Forensic Analysis". Some of the other tools that will be reviewed are as follows:

Access Data FTK 3.0
Cellebrite UFED
Paraben Device Seizure
Susteen Secure View
Oxygen Forensic Suite 2010
MSAB .XRY and .XACT
Fernico ZRT
ABC Amber iPhone Converter

and many free tools

Keep your eyes and ears open, something is coming January 2009, St. Louis, MO

Keep your eyes and ears open, something is coming January 2009, St. Louis, MO

Deleted SMS

I was doing some work for the PFIC 2009 Conference, and I was looking at the SMS.db of a logical backup. I was looking at the database in a hex editor, and to my surprise I saw an SMS that I received from my former boss that I had deleted. So I looked even further and found some more, not just the content of the text but the phone number associated, all that you normally find in a non-deleted text. So now one more item can be retrieved from the logical data, with no need to conduct an intrusive search on the iPhone. There is a utility for Windows that claims to retrieve deleted SMS from the logical backup. I haven't validated this tool yet. When I have completed testing, I will post the results.

Dutch Hacker attacks Jailbroken iPhones

So, you want to jailbreak your iPhone? You may want to read this before using the latest and greatest hacks out there.



So, what was the fix? The fix that this hacker was proposing was to restore the affected iPhones to the original Apple firmware.

Question From Techno Forensics Conference

Question from Techno Forensics Conference

Have you seen Picture Safe?

Picture Safe

After using the Picture Safe application on the iPhone, I found that it's not so safe: the passcode is in plain text in the plist and the images are very readable, all from the logical backup. Not a secure application; it should be given away, as it is not worth the $1.99.




Picture Vault

That is another story: all the images are placed in readable folders, however the images themselves are encrypted.

EFF and its effect on Law Enforcement

With the EFF trying to make jailbreaking legal, the effects on LE could have far-reaching implications. First, there is the possibility that jailbreaking leaves the iPhone vulnerable to attack; second, there is the position Apple has taken that a jailbroken phone can do damage to our infrastructure. Not to add more, but there is also the ability to charge a person federally with a crime. Bravo to ICE for charging individuals with violations of the DMCA.

iTablet - Fact or Fiction

There has been a lot of chatter in reference to a possible release of a tablet device from Apple. With the return of Steve Jobs, the clamor has been getting louder. Apple is known for great disinformation campaigns, and a lot of us feed into it. If Apple is to release a tablet and join the netbook market, Apple has to raise the bar and change the game. A tablet from Apple has to look cool and function far better than existing and future netbooks. A lot of speculators believe that the tablet will appear in November, just in time for Christmas. Why not bring it out at CES 2010? That only Apple knows.

What will it look like, and what will it have inside?

1. LTE support? Why not? Verizon and AT&T are going to use LTE.
2. HD support? Absolutely.
3. 10" screen? Best guess.
4. OS? Full OS X or iPhone OS? Yep, Apple knows that too! However, the App Store is the money train, so I lean towards iPhone OS.

Let's wait and see what Apple actually puts out to market.

iPhone Encryption

The purported encryption of the iPhone is easily bypassed with widely proliferated jailbreaks. iPhone owners need to keep better track of their phones. If you don't passcode your phone, do it. If you don't have a MobileMe account, get one. AT&T and/or Apple need to allow MobileMe account owners to wipe their phones with a simple call to AT&T. Not everyone can get to the Internet right after they notice that their phone is missing.

File Vault Passwords

In OS X everyone should be concerned with File Vault passwords. Cracking File Vault isn't that difficult.

1. There is an end-around that investigators need to try first.
a. In the /private/var/vm folder sit the sleepimage and the swap files. The sleepimage is a system image similar to the Windows hiberfil.sys. The difference is that there is a wealth of information that can be gleaned from the sleepimage. Since the subject matter is File Vault, we will limit the discussion to it. Passwords for File Vault can (and I emphasize can, not always) be found in the sleepimage. Since everything is mostly plain text, a simple search can locate not only File Vault passwords but a multitude of passwords.
b. So how do we find them? Well, there are two ways. From the command line, create a grep expression that looks for text after "longname". This will locate all user names and passwords from the sleepimage. Look at all the hits: the hits with the passwords will have the user name followed by "password" and the actual password in plain text. For example,
     strings -8 /var/vm/sleepimage | grep -A 4 -i longname
c. For Windows examiners, EnCase can be used to locate them as well. First, from the tree pane, navigate to and locate the sleepimage. Blue-check the sleepimage and create a keyword for "longname". Run the keyword search and limit the search to the single blue-checked sleepimage. Look at all the hits: the hits with the passwords will have the user name followed by "password" and the actual password in plain text.
2. If the passwords can't be located, then you're going to have to use some tools that can crack File Vault. There are a couple of tools that can assist in this. One, well, you have to be LE, and if you email me, I can get it to you free. George Starcher has also created crowbarDMG.

3. If passwords are not located in either the swapfile or the sleepimage, there are two other methods to crack File Vault.
    1. Crack the user's login passwords located at /private/var/db/shadow/hash
    2. Crack the keychains themselves. (The keychains are unencrypted except for the passwords themselves. Many items of interest can be located just by using strings.)
    3. Attack File Vault itself.
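As an added example (not from the original post), the following Python script reimplements the logic of the strings -8 | grep -A 4 -i longname search from step 1b so an examiner or system owner can run the same check on a copied sleepimage from any OS, and it reports whether a password string follows each longname record without printing the secret itself. The byte layout of SAMPLE_IMAGE is constructed and hypothetical; the only assumption taken from the post is that a "longname" string is followed within a few strings by a "password" string.

```python
import re
import sys
from typing import Dict, List

def extract_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like `strings -8`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def find_credential_leaks(data: bytes, window: int = 4) -> List[Dict[str, object]]:
    """For each string containing 'longname', inspect the next `window` strings
    (the -A 4 context of the grep) for one containing 'password'. The secret is
    masked: an audit only needs to know that a plaintext password is present."""
    strs = extract_strings(data)
    records: List[Dict[str, object]] = []
    for i, s in enumerate(strs):
        if "longname" not in s.lower():
            continue
        record: Dict[str, object] = {"longname": s, "password_leaked": False, "masked": None}
        for follow in strs[i + 1 : i + 1 + window]:
            m = re.search(r"password\s*[:=]?\s*(.*)", follow, re.IGNORECASE)
            if m:
                record["password_leaked"] = True
                record["masked"] = "*" * len(m.group(1).strip())
                break
        records.append(record)
    return records

# Constructed sample "sleepimage" bytes (hypothetical layout): one record with a
# plaintext password inside the 4-string window, one without.
SAMPLE_IMAGE = (
    b"\x00" * 16 + b"kernel junk here" + b"\x00\x01\x02"
    + b"longname=jdoe-examiner" + b"\x00\x00"
    + b"home=/Users/jdoe" + b"\x00"
    + b"password=correct horse battery" + b"\x00" * 8
    + b"longname=audit-only-user" + b"\x00"
    + b"shell=/bin/bash " + b"\x00" * 16
    + b"unrelated string one" + b"\x00" + b"unrelated string two" + b"\x00"
    + b"unrelated string three" + b"\x00" + b"unrelated string four" + b"\x00"
    + b"password=outside-the-window-so-not-linked" + b"\x00"
)

if __name__ == "__main__":
    # Usage: python sleepimage_audit.py /path/to/copied/sleepimage
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for r in find_credential_leaks(data):
        status = ("LEAKED plaintext password %s" % r["masked"]
                  if r["password_leaked"] else "no password within window")
        print("%s -> %s" % (r["longname"], status))
```

A real sleepimage is the size of installed RAM, so for production use read the file in chunks rather than with a single read(); the rest of the logic is unchanged. On OS X, /var/vm is a symlink to /private/var/vm, so either path in the post refers to the same file.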
One possible command-line fix, which I haven't verified in use with OS X v10.5.8:

     sudo pmset -a hibernatemode NUMBER

where NUMBER is one of the following:

0 - no sleepimage is used, and RAM contents are kept alive.
1 - only the sleepimage is used, and RAM contents are purged.
3 - RAM is kept alive, and a sleepimage is used when power reaches critical levels.
5 - only the sleepimage is used, but with secure virtual memory enabled.
7 - both live RAM and the sleepimage are used, but with secure virtual memory enabled.


Apple can fix this and improve the security of OS X.
Credit goes to Johnny Long, who originally identified this vulnerability 4 years ago.
And to my mentor Thane Erickson: thanks for your leadership and guidance.

Recent Entries

  1. FTS iXAM
    Monday, January 04, 2010
  2. Keep your eyes and ears open, something is coming January 2009, St. Louis, MO
    Monday, December 07, 2009
  3. Deleted SMS
    Wednesday, November 04, 2009
  4. Dutch Hacker attacks Jailbroken iPhones
    Wednesday, November 04, 2009
  5. Question From Techno Forensics Conference
    Sunday, November 01, 2009
  6. EFF and its effect on Law Enforcement
    Sunday, August 16, 2009
  7. iTablet - Fact or Fiction
    Saturday, August 01, 2009
  8. iPhone Encryption
    Saturday, August 01, 2009
  9. File Vault Passwords
    Tuesday, July 21, 2009